mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-22 14:09:22 +00:00
02b8045517
Long ago we adapted to iptables changes by introducing support
for '-m conntrack':
commit 06844ccbaa
Author: Stefan Berger <stefanb@us.ibm.com>
Date: Tue Aug 6 20:30:46 2013 -0400
nwfilter: Use -m conntrack rather than -m state
Since iptables version 1.4.16 '-m state --state NEW' is converted to
'-m conntrack --ctstate NEW'. Therefore, when encountering this or later
versions of iptables use '-m conntrack --ctstate'.
Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.
The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.
Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
123 lines
1.6 KiB
Plaintext
123 lines
1.6 KiB
Plaintext
iptables \
|
|
-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
--mac-source 01:02:03:04:05:06 \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 2 \
|
|
-m conntrack \
|
|
--ctstate NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--source 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 2 \
|
|
-m conntrack \
|
|
--ctstate ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
--mac-source 01:02:03:04:05:06 \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 2 \
|
|
-m conntrack \
|
|
--ctstate NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 33 \
|
|
--dport 20:21 \
|
|
--sport 100:1111 \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
--mac-source 01:02:03:04:05:06 \
|
|
--source 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 33 \
|
|
--sport 20:21 \
|
|
--dport 100:1111 \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 33 \
|
|
--dport 20:21 \
|
|
--sport 100:1111 \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 63 \
|
|
--dport 255:256 \
|
|
--sport 65535:65535 \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
--mac-source 01:02:03:04:05:06 \
|
|
--source 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 63 \
|
|
--sport 255:256 \
|
|
--dport 65535:65535 \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
-m dscp \
|
|
--dscp 63 \
|
|
--dport 255:256 \
|
|
--sport 65535:65535 \
|
|
-j RETURN
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags SYN ALL \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags SYN SYN,ACK \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags RST NONE \
|
|
-j ACCEPT
|
|
iptables \
|
|
-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags PSH NONE \
|
|
-j ACCEPT
|